I have used GitHub Personal Access Tokens (PATs) in the past, but after reading that long-term credentials like them are prone to malware exfiltration attacks (because they are kept in plaintext in standard locations), I'm looking for alternatives.

I've been able to switch my git and aws command lines to temporary credentials (via the 1Password shell plugins), but the sam cli keeps failing because it seems to require plaintext credentials.

I have tried these:

- Tried the docs about the local sam cli, but they use plaintext long-term credentials.
- AWS Identity Center. This requires enrolling "Applications" and I couldn't find any way to do that for the sam cli.
- Tried the GitHub page of the template that I actually want to deploy, cognito-restapi. It doesn't help with this problem directly, but does help me jump straight to `sam deploy -g`. This allows me to narrow the problem to getting temporary credentials into that invocation. Its Environment Variables section shows that we can pass temporary config, and googling about aws credentials as env vars reveals that the names to use are: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. But the doc doesn't say how to delimit them; I discovered that a single space works; a single comma doesn't:

  ```bash
  AWS_ACCESS_KEY_ID=pasteYoursHere AWS_SECRET_ACCESS_KEY=pasteYoursHere sam deploy -g
  ```

  This can be made better by using 1Password secret references and op inject to avoid copy/pasting. I think it would look like the following but haven't tested yet:

  ```bash
  # $(...) substitutes the command's output; <(...) would expand to a /dev/fd path instead
  AWS_ACCESS_KEY_ID="$(echo pasteKeyIdSecretRefHere | op inject)" AWS_SECRET_ACCESS_KEY="$(echo pasteAccessKeySecretRefHere | op inject)" sam deploy -g
  ```

What is the SAM team's recommended way of avoiding long-term credentials in plaintext?
Btw, my sam cli version is 1.114.0
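The invocation the post is working towards, as an added example that is not part of the original post and is not SAM or 1Password code: it runs one command with temporary credentials placed only in that command's environment, and rejects a key ID that is a file path (what `<(...)` yields), a long-term `AKIA` key ID, or a missing session token. `fetch_secret`, `check_temp_creds` and `with_temp_creds` are hypothetical names, the credential values are constructed, and `fetch_secret` stands in for a real lookup such as `op read`.

```bash
#!/bin/sh
# Added example (hypothetical helper names, constructed sample values).

# Stand-in for a secret-manager lookup that prints one value on stdout.
fetch_secret() {
  case "$1" in
    key_id) echo "ASIAEXAMPLEKEYID0000" ;;            # constructed
    secret) echo "constructedSecretAccessKeyValue" ;; # constructed
    token)  echo "constructedSessionTokenValue" ;;    # constructed
  esac
}

# Reject values that cannot be working temporary credentials.
# Args: key_id secret session_token. Non-zero return identifies the problem.
check_temp_creds() {
  case "$1" in
    /*)    echo "key id is a file path; use \$(...) rather than <(...)" >&2; return 2 ;;
    AKIA*) echo "AKIA prefix marks a long-term access key" >&2; return 3 ;;
    ASIA*) ;;  # AWS's documented prefix for temporary (STS) key IDs
    *)     echo "unrecognised access key id" >&2; return 4 ;;
  esac
  [ -n "$2" ] || { echo "empty secret access key" >&2; return 5; }
  [ -n "$3" ] || { echo "temporary credentials also need AWS_SESSION_TOKEN" >&2; return 6; }
}

# Run "$@" with the credentials in its environment only. The subshell body
# keeps the values out of the calling shell; nothing is written to disk.
with_temp_creds() (
  id="$(fetch_secret key_id)"
  secret="$(fetch_secret secret)"
  token="$(fetch_secret token)"
  check_temp_creds "$id" "$secret" "$token" || exit $?
  AWS_ACCESS_KEY_ID="$id" AWS_SECRET_ACCESS_KEY="$secret" \
    AWS_SESSION_TOKEN="$token" "$@"
)

# Usage: with_temp_creds sam deploy -g
```

While the command runs, its environment is still readable by other processes of the same user, so short credential lifetimes continue to matter.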